Cyber Incident Victim: Aeries Student Information Systems
Date: Nov 2019
Location: United States of America
Summary
Unauthorized access attempts targeted the Aeries Student Information System, initially prompting an internal investigation that found no compromise but led to security patches. Subsequent collaboration with a locally hosted district and law enforcement revealed a broader breach involving compromised Parent and Student Login credentials, physical addresses, emails, and password hashes, potentially exposing weak passwords. The incident affected 166 hosted databases, with perpetrators later apprehended, terminating further unauthorized access. Multiple educational districts were impacted, though the extent of data exposure varied across entities.
Description
Aeries Software detected unauthorized attempts to access data through its Aeries Student Information System (SIS) in late November 2019. The company initiated an internal investigation but initially found no evidence of system or data compromise. Despite this conclusion, Aeries deployed security patches in the December 20, 2019 software update to address vulnerabilities identified during its probe. The situation escalated in late January 2020 when a locally hosted school district reported potential unauthorized database access to law enforcement, triggering a criminal investigation. Aeries collaborated with the affected district and authorities (including local law enforcement and federal agencies) to expand its investigation through March 2020. This joint effort revealed that attackers had exploited authentication systems to access Parent and Student Login credentials, physical addresses, email addresses, and password hashes.

Forensic analysis determined the breach occurred on or around November 4, 2019, potentially affecting 166 databases in Aeries' hosted environment. The compromised data included Student Permanent IDs alongside the authentication credentials and contact information. Password hashes presented particular risks as weak passwords could be reconstructed from these cryptographic representations. Authorities apprehended the perpetrators by May 28, 2020, terminating further unauthorized access. Impact notifications began with four districts in April 2020, expanding to at least 26 California school districts and education offices by June 2020, including Los Alamitos Unified, Santa Barbara Unified, Beverly Hills Unified, and San Bernardino City Unified. The criminal investigation remained ongoing at the time of Aeries' April 27, 2020 public disclosure, with no confirmation of actual data misuse beyond unauthorized access.
